Example: jola
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CostServices",
"Effect": "Allow",
"Action": [
"ce:*",
"budgets:*",
"aws-portal:*Usage",
"aws-portal:*PaymentMethods",
"aws-portal:*Billing",
"pricing:DescribeServices",
"wellarchitected:*",
"savingsplans:*"
],
"Resource": "*"
},
{
"Sid": "S3ManagementCUR",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::hola"
]
},
{
"Sid": "AthenaGlueAndServiceReadAccess",
"Effect": "Allow",
"Action": [
"athena:*",
"glue:*",
"iam:ListRoles",
"iam:ListPolicies",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
},
{
"Sid": "QuickSightAccess",
"Effect": "Allow",
"Action": [
"quicksight:CreateUser",
"quicksight:Subscribe"
],
"Resource": "*"
},
{
"Sid": "IAMAccessForGlue",
"Effect": "Allow",
"Action": "iam:*",
"Resource": [
"arn:aws:iam::(Cost Optimization Member Account ID):role/service-role/AWSGlueServiceRole-Cost*",
"arn:aws:iam::(Cost Optimization Member Account ID):policy/service-role/AWSGlueServiceRole-Cost*"
]
},
{
"Sid": "S3AccessForAthena",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Sid": "FullS3AccessForBucketsWithSpecificPrefix",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::cost*"
]
}
]
}